Don’t Be Fooled by Their Sleek, Modern Looks — It’s Magecart!

April 28, 2023 | Ravie Lakshmanan | Online Security / Website Hacking


An ongoing Magecart campaign has caught the attention of cybersecurity researchers by using a realistic-looking fake payment screen to capture sensitive data entered by unsuspecting users.

Malwarebytes Threat Intelligence Director Jérôme Segura said: “What’s notable here is that the skimmer looks more authentic than the original payment page.”

Magecart is an umbrella term for several cybercriminal groups that use online skimming techniques to steal personal data from websites, most commonly customer details and payment information on e-commerce sites.

The name comes from the groups' initial targeting of the Magento platform. According to data shared by Sansec, the first Magecart-like attacks were observed in 2010. As of 2022, an estimated 70,000-plus stores have been compromised by web skimmers.

Also known as formjacking, these digital skimming attacks traditionally utilize various kinds of JavaScript tricks to siphon sensitive information from website users.

In the latest iteration, observed by Malwarebytes at an unnamed Parisian travel goods store running on the PrestaShop CMS, a skimmer called Kritec was injected to intercept the checkout process and present a fake payment dialog to the victim.

Kritec, previously detailed by Akamai and Malwarebytes in February 2023, was found to impersonate legitimate third-party vendors such as Google Tag Manager as an evasive technique.

According to the cybersecurity firm, the skimmer is complex and highly obfuscated, loading a malicious modal when a customer selects credit card as the payment option on a compromised website.

Once the payment card details are collected, the victim is briefly shown a fake error message about the payment being cancelled before being redirected to the genuine payment page, where the payment then goes through.

“The skimmer drops a cookie indicating that the current session has been marked as complete,” Segura explains. “When the user comes back and tries to pay again, the malicious modal will disappear.”


The threat actors behind this operation are said to be using different domains to host the skimmer, although the loader scripts follow a similar naming pattern, "[name of store]-loader.js", suggesting that the attackers build custom modals for each online store they target.
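A store operator or incident responder can turn the traits reported above (a third-party loader named after the store, hosted on a domain that imitates Google Tag Manager) into a quick inventory check of the scripts a checkout page loads. The following is an added example, not code from the article or from Malwarebytes or Akamai; the checkout HTML, the store hostname, the allowlist and every domain in it are constructed for illustration.

```python
"""Inventory <script src> tags on a checkout page and flag loaders that match the
traits the article attributes to Kritec.  Added example; all hosts are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page; no path or hostname here comes from a real capture.
SAMPLE_HTML = """
<html><head>
<script src="/themes/classic/assets/js/theme.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>
<script src="https://cdn.widgets-vendor.test/chat-widget.js"></script>
<script src="https://gtm-tagmanager.cdn-static.test/example-store-loader.js?v=3"></script>
</head><body>checkout form goes here</body></html>
"""

STORE_HOST = "www.example-store.test"          # assumed store hostname
GTM_HOST = "www.googletagmanager.com"            # the only legitimate GTM host
ALLOWED_HOSTS = {STORE_HOST, GTM_HOST}           # assumed baseline of expected script hosts
GTM_TOKENS = ("gtm", "tagmanager", "googletag")  # strings a look-alike host tends to reuse


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def extract_script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.sources


def store_label(host):
    """'www.example-store.test' -> 'example-store', the label a per-store loader reuses."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def assess_script(src, store_host=STORE_HOST, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of reasons a script is suspicious; an empty list means not flagged."""
    url = urlparse(src)
    host = (url.hostname or store_host).lower()   # a relative URL is first party
    filename = url.path.rsplit("/", 1)[-1].lower()  # query string already stripped
    reasons = []
    if host not in allowed_hosts:
        reasons.append("host not in allowlist")
    if filename == f"{store_label(store_host)}-loader.js":
        reasons.append("loader named after the store")
    elif filename.endswith("-loader.js"):
        reasons.append("generic '-loader.js' name")
    if host != GTM_HOST and any(token in host for token in GTM_TOKENS):
        reasons.append("Google Tag Manager look-alike host")
    return reasons


def find_suspicious_scripts(html, store_host=STORE_HOST, allowed_hosts=ALLOWED_HOSTS):
    """Map each flagged script src to its reasons; unflagged scripts are omitted."""
    findings = {}
    for src in extract_script_sources(html):
        reasons = assess_script(src, store_host, allowed_hosts)
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_scripts(SAMPLE_HTML).items():
        print(src, "->", "; ".join(reasons))
```

Run against the constructed page, the first-party theme script and the genuine Google Tag Manager script pass, the unknown chat widget is reported only as an unlisted host, and the "example-store-loader.js" file on a GTM-themed domain collects all three reasons. The allowlist is the part worth maintaining: an obfuscated skimmer is hard to recognise by content, but a script host that was not there at the last review is easy to spot.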

“It’s getting really hard to tell if an online store is trustworthy, and this case is a good example of an unsuspecting skimmer,” Segura said.

The findings come a little over two months after Malwarebytes discovered another web skimmer that harvests browser fingerprint data such as IP addresses and User-Agent strings alongside credit card information, likely in an attempt to identify invalid users such as bots or security researchers.
